2015-03-31 - NEUTRINO EK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-03-31-Neutrino-EK-traffic.pcap.zip
• 2015-03-31-sandbox-analysis-of-Neutrino-EK-payload.pcap.zip
• 2015-03-31-Neutrino-EK-malware-and-artifacts.zip

 

TRAFFIC

ASSOCIATED DOMAINS:

• Date/Time: 2015-03-31 17:54 UTC

• 176.56.238[.]17 port 36712 - nlhxlmewmy.tildsfdmjesrbkgeje[.]ga:36712 - Neutrino EK
• 110.201.5[.]11 - ns1.starbwqinfo[.]xyz - DNS query and result, no actual traffic
• 110.179.87[.41 - ns7.starbwqinfo[.]xyz - DNS query and result, no actual traffic
• 85.17.144[.]9 port 53 - TCP traffic caused by the malware payload (malformed packet/not DNS)
• 95.211.233[.]121 port 53 - TCP traffic caused by the malware payload (malformed packet/not DNS)
• 95.169.187[.]53 port 53 - TCP traffic caused by the malware payload (malformed packet/not DNS)

 

TRAFFIC:

• nlhxlmewmy.tildsfdmjesrbkgeje[.]ga:36712 - GET /sometime.php?sleepy=3894&unlike=63568&ease=4295&lamp=61867&melt=83945&work=55450&raft=90602
• nlhxlmewmy.tildsfdmjesrbkgeje[.]ga:36712 - GET /tide/4599/flap/attack/mingle/9439/unseen/sigh/share/title/beard/4502/alas/society/better/though/five/20931/
• nlhxlmewmy.tildsfdmjesrbkgeje[.]ga:36712 - GET /sinister/83316/humble/45061/collect/31713/equipment/73714/
• nlhxlmewmy.tildsfdmjesrbkgeje[.]ga:36712 - GET /break.html?anything=miss&decide=when&jump=blow&doom=62654&meat=69220
• nlhxlmewmy.tildsfdmjesrbkgeje[.]ga:36712 - GET /wink.pl?spite=rare&address=62540&brisk=61704&absence=96524&officer=40481&conclusion=9670&slant=76597&
  tune=36989&mask=87474

 

ALERTS

EMERGING THREATS / ETPRO:

• 176.56.238[.]17 port 36712 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014 (sid:2019763)
• 176.56.238[.]17 port 36712 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 27 2015 (sid:2020321)
• 176.56.238[.]17 port 36712 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Payload Nov 20 2014 (sid:2020388)
• 85.17.144[.]9 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
• 95.211.233[.]121 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
• 95.169.187[.]53 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
• 85.17.144[.]9 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel port 53 (sid:2808226)
• 95.211.233[.]121 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel port 53 (sid:2808226)
• 95.169.187[.]53 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel port 53 (sid:2808226)

 

SOURCEFIRE VRT (TALOS):

• 176.56.238[.]17 port 36712 - [1:32638:1] EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port
<
• 85.17.144[.]9 port 53 - T[1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection
• 95.211.233[.]121 port 53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection
• 95.169.187[.]53 port 53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection

 

MALWARE

• File name: 2015-03-31-Neutrino-EK-flash-exploit.swf
• https://www.virustotal.com/en/file/6324dcf3f7d56d3de77e27fce59963eadf3f7045397ac9325d78a4e6c8782979/analysis/

• File name: 2015-03-31-Neutrino-EK-malware-payload.exe
• https://www.virustotal.com/en/file/b385b8ec59a4a33c3f2fa291d5389dd6700bfdc0db1bcfa16c947bbb8b191bcc/analysis/

• File name: 2015-03-31-hgacxpp.dll (file dropped by the malware)
• https://www.virustotal.com/en/file/f0b2435b0d20128cac5e023d9fef6289c7b7db50b8c00e74bc357a1eff202b6a/analysis/

 

Click here to return to the main page.